Exploring Neo4j by visualizing Google Cloud IAM hierarchy

Pavan Kumar Kattamuri
3 min readMar 14, 2021

--

Neo4j is a graph DBMS with native graph storage and processing, which can be used across fraud detection, social networking, recommendation engine, telecommunications etc. In this blog, I tried to use Neo4j for identity and access management by visualizing some dummy data which replicates Google Cloud IAM resource hierarchy, roles, permissions and Identities. This considers project level IAM grants and doesn’t consider granular resource level IAM policies like object level ACL’s. This is intended for exploration purposes and to learn more about GCP IAM, check out the official documentation.

GCP IAM Basics

  • Services — BigQuery,Storage,PubSub etc
  • Resources — Datasets, tables, buckets, objects etc. Each service can have multiple resources
  • Permissions — bigquery.datasets.get, bigquery.tables.create etc (permission is of the format servicename.resource.action)
  • Role — Each role contains multiple permissions and a role can be primitive/predefined/custom type
  • Identities — can be either a User or a Service Account. Each Identity can have multiple roles. User can act as(impersonate) service account and can do whatever the service account is allowed to

These basic concepts are used to create the nodes, labels, node properties, relationships in Neo4j.

Graph visualization

Visualize the entire database schema by running the below command

CALL db.schema.visualization()

Using the playground, clicking on few nodes I got this view to see more nodes to get a better representation of the actual data.

Visualize Identities and roles association

Get all the roles

MATCH (r:role) 
RETURN r.type AS role_type, r.name AS role

List all the identities (users and service accounts) and their associated roles

MATCH (i:identity)
OPTIONAL MATCH (i)-[:HAS_ROLES]->(r:role)
RETURN i.email AS Member, collect(r.name) AS Roles

List all service accounts

MATCH (i:serviceaccount)
RETURN i.email AS Service_Account

Get all service account details

This shows the roles which a service account has and who can impersonate this service account

MATCH (i:serviceaccount)
OPTIONAL MATCH (i)-[:HAS_ROLES]->(r:role)
OPTIONAL MATCH (u)-[:ACTS_AS]->(i)
RETURN i.email AS Email, collect(r.name) AS Roles, collect(u.email) AS Members_with_access_to_this_service_account

IAM Policy troubleshooter

Check out GCP IAM Policy troubleshooter to understand why a user has access to a resource or doesn’t have permission to call an API. Given a identity account, resource and a permission, the troubleshooter shows all the roles which has that permission and all the identities binded to that role. Below is a screenshot for reference. The highlighted box in the screenshot shows a match indicating the identity has permission to perform the given action

You can do something similar to Policy troubleshooter in our neo4j database by running the below query

MATCH (ro:role)-[:CONTAINS_PERMISSIONS]->(p:permission)
WHERE p.name=’bigquery.datasets.get’
OPTIONAL MATCH (i:identity)-[:HAS_ROLES]->(ro)
WITH ro.name AS role, collect(i.email) AS bindings
RETURN role, bindings, CASE WHEN ‘user1@gmail.com’ IN bindings THEN true ELSE false END AS has_permission

Below is the output in text format and graph vizualization

--

--

Pavan Kumar Kattamuri
Pavan Kumar Kattamuri

Written by Pavan Kumar Kattamuri

Platform Engineer | Cloud | GCP | AWS

No responses yet